Overview

Event Information

Date (UTC)

Description

2009-08-18 10:24

SANS Internet Storm Center
MS09-039 exploit in the wild?
We received a note from a reader who wanted to remain anonymous that the MS09-039 vulnerability is actively exploited in the wild. To remind you, this vulnerability affects servers with the WINS service installed. The patch fixes two vulnerabilities.

2009-08-12 04:17

Symantec
ThreatCON (2) => (2)
On August 11, 2009 Microsoft issued nine security bulletins as part of the monthly patch cycle. Five of these bulletins are rated 'Critical' and four are rated 'Important.'

US-CERT
Microsoft Releases August Security Bulletin
US-CERT Current Activity
Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, Visual Studio, ISA Server, BizTalk Server, Remote Desktop Connection Client for Mac, and .NET Framework as part of the Microsoft Security Bulletin Summary for August 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or cause a denial-of-service condition.

SANS Internet Storm Center
Infocon returning to green from MS Advisory 973472
INFOCon (2) => (1)
After the rush of the new vulnerability being published, exploits in the wild, and malware being distributed it is time to return the Infocon to normal status. Hopefully it has served its purpose of raising awareness of the Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution CVE-2009-1136 and Microsoft advisory 973472.

Symantec
ThreatCON (2) => (2)
On July 13, 2009, Microsoft published a security advisory disclosing a previously unknown vulnerability in Office Web Components. The issue is reportedly being exploited in the wild. Currently, no patch is available.

US-CERT
Microsoft Releases Security Advisory 973472
US-CERT Current Activity
Microsoft has released Security Advisory 973472 to alert users about a vulnerability in Microsoft Office Web Components. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code. The advisory indicates that Microsoft is aware of attacks attempting to exploit the vulnerability.

Zero Day Initiative (ZDI)
ZDI-09-053: Microsoft Windows WINS Service Heap Overflow Vulnerability
WINS Heap Overflow Vulnerability (CVE-2009-1923, MS09-039)
Vulnerability Reported
The specific flaw exists within the WINS.exe process which provides name resolution services for NetBIOS networks. While parsing a push request the WINS service copies packet data to a static heap buffer while within a controlled loop. By providing a specially crafted request an attacker can overflow this heap buffer leading to arbitrary code execution under the SYSTEM context.

2008-12-05

iDefense
Multiple Vendor Microsoft ATL/MFC ActiveX Security Bypass Vulnerability
ATL COM Initialization Vulnerability (CVE-2009-2493, MS09-035, MS09-037)
Vulnerability Reported
Depending upon certain characteristics of an OLE component designed with the Microsoft ATL, it is possible to cause one component to initialize an arbitrary secondary component. Ordinarily this behavior would not be a cause for alarm; however, certain applications employ various methods to verify that a control is Safe for Initialization. One such application is Internet Explorer.

2008-12-05

iDefense
Multiple Vendor Microsoft ATL/MFC ActiveX Type Confusion Vulnerability
ATL Object Type Mismatch Vulnerability (CVE-2009-2494, MS09-037)
Vulnerability Reported
Depending upon certain characteristics of an OLE component designed with certain versions of the Microsoft ATL, it is possible to cause an object to use a variant of type VT_BSTR as a different object. In certain circumstances, an encoded BSTR can cause ATL code to set the COM type without checking to see if the type was successfully coerced. Upon return, the BSTR is treated as an object leading to an attacker being able to specify an address to call.

2008-11-19

Positive Technologies
PT-2008-09: Microsoft Windows MSMQ Privilege Escalation Vulnerability
MSMQ Null Pointer Vulnerability (CVE-2009-1922, MS09-040)
Vulnerability Reported
The IOCTL handler in mqac.sys does not properly validate buffer data associated with the Irp object, which allows local users to crash the system or execute arbitrary code with SYSTEM privileges.

iDefense
Microsoft Office Web Components 2000 Buffer Overflow Vulnerability
Office Web Components Buffer Overflow Vulnerability (CVE-2009-1534, MS09-043)
Vulnerability Reported
When instantiating a Spreadsheet object, it is possible to pass the object a parameter that refers to an Excel file that will be retrieved and then loaded. By using a long string for the parameter, it is possible to cause a stack-based buffer overflow.

2007-12-11

Zero Day Initiative (ZDI)
ZDI-09-056: Microsoft Office OWC10.Spreadsheet ActiveX BorderAround() Heap Corruption Vulnerability
Office Web Components Heap Corruption Vulnerability (CVE-2009-2496, MS09-043)
Vulnerability Reported
The specific vulnerability exists in the OWC10.Spreadsheet.10 ActiveX control installed by Microsoft Office. By accessing specific methods in a certain order heap corruption occurs leading to remote code execution. If exploited, complete control of the affected system can be achieved under the rights of the currently logged in user.

2007-03-29

Zero Day Initiative (ZDI)
ZDI-09-055: Microsoft Office OWC10 ActiveX Control Loading and Unloading Heap Corruption Vulnerability
Office Web Components Memory Allocation Vulnerability (CVE-2009-0562, MS09-043)
Vulnerability Reported
The specific flaw exists when loading and unloading the vulnerable control (0002E543-0000-0000-C000-000000000046) and results in transfer of control to unallocated memory. This issue can be exploited to execute arbitrary code under the context of the currently logged in user.